Under rules approved this week, banks and other financial institutions will be required to inform customers if their private information has been obtained by hackers or identity thieves and is likely to be misused.

Under the new regulations, breaches of private information must be reported to the people affected if the financial institution determines that data have been, or could be, illicitly used. These rules take effect immediately for federal and state-chartered banks, and savings and loans.

The rules come at a time of public fears about identity theft. In the past several weeks, two large information brokerage firms had breaches resulting in records on nearly 175,000 consumers falling into the hands of identity thieves. The new rules, however, do not apply to such firms, or to credit unions or credit-reporting agencies.

The rules cover thousands of financial institutions regulated by four agencies that coordinated their rulemaking: the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Office of Thrift Supervision.

That would include institutions such as Bank of America Corp., which disclosed recently that it had lost computer tapes that contained financial data on over 1.2 million federal workers, including members of Congress.

Under the new rules, which are part of several measures implemented since the passage of a banking modernization law in 1999, financial institutions must immediately report security breaches to their regulators and to law enforcement agencies.

However, the disclosure to consumers has an exception. After industry lobbying, the rules were modified to allow an institution to investigate whether a breach would be likely to result in misuse of the data. If the institution determines that misuse is unlikely, then it need not report the breach to its customers.

Financial-services firms were concerned that they might be burdened by expensive reporting requirements and could subject consumers to needless worry if systems were breached but the data had not been taken by identity thieves.

Some privacy advocates fear that allowing institutions to make the decision whether a threat to consumers exists could diminish their incentive to improve security.
"If people are doing a good job [of security], there should be no notices" of breaches, said Deirdre K. Mulligan, director of the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley.
Ms. Mulligan said data could be compromised in ways not apparent to the companies that have been breached.

Security breaches have been publicized by several organizations whose systems were compromised, but computer-security experts say many more are not because companies do not want customers to be worried that their systems are vulnerable.
Until recently, the only requirement that consumers be told that their data might have been stolen was a California law that forces notification by any company having customers in the state. But the recent breaches have prompted several members of Congress, the head of the Federal Trade Commission and some industry groups to call for national notification legislation.
A spokesman for the National Credit Union Administration said he expects that notification guidelines will be developed in the next few months.